Date: Wed, 16 Sep 2020 22:55:27 +0000 (UTC) From: John Baldwin <jhb@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r365819 - in stable: 11/lib/libc/stdlib 12/lib/libc/stdlib Message-ID: <202009162255.08GMtR2B082792@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jhb Date: Wed Sep 16 22:55:27 2020 New Revision: 365819 URL: https://svnweb.freebsd.org/changeset/base/365819 Log: MFC 365276: Compute the correct size of the string to move forward. Previously this was counting the amount of spare room at the start of the buffer that the string needed to move forward and passing that as the number of bytes to copy to memmove rather than the length of the string to be copied. In the strfmon test in the test suite this caused the memmove to overflow the allocated buffer by one byte which CHERI caught. Modified: stable/12/lib/libc/stdlib/strfmon.c Directory Properties: stable/12/ (props changed) Changes in other areas also in this revision: Modified: stable/11/lib/libc/stdlib/strfmon.c Directory Properties: stable/11/ (props changed) Modified: stable/12/lib/libc/stdlib/strfmon.c ============================================================================== --- stable/12/lib/libc/stdlib/strfmon.c Wed Sep 16 22:42:27 2020 (r365818) +++ stable/12/lib/libc/stdlib/strfmon.c Wed Sep 16 22:55:27 2020 (r365819) @@ -636,7 +636,7 @@ __format_grouped_double(double value, int *flags, memset(bufend, pad_char, padded); } - bufsize = bufsize - (bufend - rslt) + 1; + bufsize = rslt + bufsize - bufend; memmove(rslt, bufend, bufsize); free(avalue); return (rslt);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202009162255.08GMtR2B082792>